Posted by msmash on Tuesday July 11, 2017 @01:22PM from the new-Linux-distros dept.

Reader BrianFagioli writes: Today, Fedora 26 sheds its pre-release status and becomes available for download as a stable release. GNOME fans are in for a big treat, as version 3.24 is default. If you stick to stable Fedora releases, this will be your first time experiencing that version of the desktop environment since it was released in March. Also new is LibreOffice 5.3, which is an indispensable suite for productivity. If you still use mp3 music files (I've moved onto streaming), support should be baked in for both encoding and decoding. "The latest version of Fedora's desktop-focused edition provides new tools and features for general users as well as developers. GNOME 3.24 is offered with Fedora 26 Workstation, which includes a host of updated functionality including Night Light, an application that subtly changes screen color based on time of day to reduce effect on sleep patterns, and LibreOffice 5.3, the latest update to the popular open source office productivity suite. For developers, GNOME 3.24 provides matured versions of Builder and Flatpak to make application development for a variety of systems, including Rust and Meson, easier across the board," says the Fedora Project.

Posted by EditorDavid on Sunday July 09, 2017 @02:10PM from the kernel-copyrights dept.

Bruce Perens co-founded the Open Source Initiative with Eric Raymond. Now he's sharing a "strong opinion" that companies should avoid the Grsecurity security patch for the Linux kernel "because it presents a contributory infringement and breach of contract risk." Slashdot reader NewGnu shared Bruce's comments:
[I]t would fail a fair-use test... Because of its strongly derivative nature of the kernel, it must be under the GPL version 2 license, or a license compatible with the GPL and with terms no more restrictive than the GPL. Earlier versions were distributed under GPL version 2... My understanding from several reliable sources is that customers are verbally or otherwise warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition...

This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.
Perens advises companies to discuss his position with their attorneys, adding "In the public interest, I am willing to discuss this issue with companies and their legal counsel, under NDA, without charge."

Posted by EditorDavid on Sunday July 09, 2017 @10:50AM from the survey-says dept.

After collating 30,171 responses, Phoronix has released some results from their first Linux Laptop Survey. An anonymous reader quotes their report:
To little surprise, Ubuntu was the most popular Linux distribution running on the respondents' laptops. 38.9% of the respondents were said to be using Ubuntu while interestingly in second place was Arch Linux at 27.1% followed by Debian at 15.3%. Rounding out the top ten were then Fedora at 14.8%, Linux Mint in 5th at 10.8%, openSUSE/SUSE in sixth at 4.2%, Gentoo in seventh at 3.9%, CentOS/RHEL in eighth at 3.1%, Solus in ninth at 2%, and Manjaro in tenth at 1.6%. The other Linux distributions had each commanded less than 1% of the overall response.
Only 10.3% of respondents said their most recent laptop purchase came pre-loaded with Linux. But 29.3% are now dual-booting their Linux laptop with Windows, while another 4.4% were dual-booting with yet another Linux distribution.

Posted by BeauHD on Thursday July 06, 2017 @07:20PM from the remote-entry dept.

An anonymous reader quotes a report from The Hacker News: WikiLeaks has today published the 15th batch of its ongoing Vault 7 leak, this time detailing two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH (Secure Shell) credentials from targeted Windows and Linux operating systems using different attack vectors. Secure Shell or SSH is a cryptographic network protocol used for remote login to machines and servers securely over an unsecured network. Dubbed BothanSpy -- implant for Microsoft Windows Xshell client, and Gyrfalcon -- targets the OpenSSH client on various distributions of Linux OS, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu. Both implants steal user credentials for all active SSH sessions and then send them to a CIA-controlled server.

Posted by BeauHD on Thursday July 06, 2017 @06:00AM from the fresh-start dept.

An anonymous reader quotes a report from Bleeping Computer: A new feature added in test snapshots for the upcoming OpenBSD 6.2 release will create a unique kernel every time an OpenBSD user reboots or upgrades his computer. This feature is named KARL -- Kernel Address Randomized Link -- and works by relinking internal kernel files in a random order so that it generates a unique kernel binary blob every time. Currently, for stable releases, the OpenBSD kernel uses a predefined order to link and load internal files inside the kernel binary, resulting in the same kernel for all users. Developed by Theo de Raadt, KARL will work by generating a new kernel binary at install, upgrade, and boot time. If the user boots up, upgrades, or reboots his machine, the most recently generated kernel will replace the existing kernel binary, and the OS will generate a new kernel binary that will be used on the next boot/upgrade/reboot, constantly rotating kernels on reboots or upgrades. KARL should not be confused with ASLR -- Address Space Layout Randomization -- a technique that randomizes the memory address where application code is executed, so exploits can't target a specific area of memory where an application or the kernel is known to run. A similar technique exists for randomizing the memory location where the kernel loads -- called KASLR. The difference between the two is that KARL loads a different kernel binary in the same place, while KASLR loads the same binary in random locations. Currently Linux and Windows only support KASLR.

Posted by BeauHD on Wednesday July 05, 2017 @07:20PM from the welcome-to-the-club dept.

BrianFagioli writes via BetaNews: Would you be surprised if I told you that threat methods for Linux increased an astonishing 300 percent in 2016, while Microsoft's operating systems saw a decrease? Well, according to a new report, that is true. Does this mean Linux is unsafe? No way, Jose! There are some important takeaways here. Microsoft's Windows operating systems are still the most targeted platforms despite the year over year decline -- far beyond Linux. Also, just because there is an increase in malware attack methods doesn't necessarily mean that more systems will be infected. Let us not forget that it is easier to find a vulnerability with open source too; Microsoft largely uses closed source code. "At the end of November, criminals with other variants of the same Linux malware unleashed devastating attacks against DSL routers of Telekom customers. 900,000 devices were taken down. In October, the Mirai code appeared freely available on the Internet. Since then, the AV-TEST systems have been investigating an increasing number of samples with spikes at the end of October, November and beginning of December," says AV Test of the Mirai malware. "Other Linux malware, such as the Tsunami backdoor, has been causing trouble for several years now and can be easily modified for attacks against IoT devices. The detection systems of AV-TEST first detected the Tsunami malicious code in the year 2003. Although, at that time, practically no IoT devices existed, the Linux backdoor already offered attack functions which even today would be suitable for virtually unprotected attacks on routers: In this manner, Tsunami can download additional malicious code onto infected devices and thus make devices remote controllable for criminals. But the old malware can also be used for DDoS attacks. The Darlloz worm, known since 2013, as well as many other Linux and Unix malware programs, have similar attack patterns which AV-TEST has been detecting and analyzing for years."

Posted by EditorDavid on Monday July 03, 2017 @03:34AM from the big-bugs dept.

ITWire reports:
A flaw in systemd, the init system used on many Linux systems, can be exploited using a malicious DNS query to either crash a system or to run code remotely. The vulnerability resides in the daemon systemd-resolved and can be triggered using a TCP payload, according to Ubuntu developer Chris Coulson. This component can be tricked into allocating less memory than needed for a look-up. When the reply is bigger it overflows the buffer allowing an attacker to overwrite memory. This would result in the process either crashing or it could allow for code execution remotely. "A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it," is how Coulson put it.
Affected Linux vendors have pushed out patches -- but the bug has apparently been present in systemd code since June of 2015. And long-time Slashdot reader walterbyrd also reports a recently-discovered bug where systemd unit files that contain illegal usernames get defaulted to root.

Posted by EditorDavid on Monday July 03, 2017 @12:34AM from the kernel-mustered dept.

prisoninmate quotes Softpedia:
After seven weeks of announcing release candidate versions, Linus Torvalds today informs the Linux community through a mailing list announcement about the general availability of the Linux 4.12 kernel series. Development on the Linux 4.12 kernel kicked off in mid-May with the first release candidate, and now, seven weeks later we can finally get our hands on the final release... A lot of great improvements, new hardware support, and new security features were added during all this time, which makes it one of the biggest releases, after Linux 4.9...

Prominent features of the Linux 4.12 kernel include initial support for AMD Radeon RX Vega graphics cards, initial Nvidia GeForce GTX 1000 "Pascal" accelerated support, implementation of Budget Fair Queueing (BFQ) and storage-I/O schedulers, more MD RAID enhancements, support for Raspberry Pi's Broadcom BCM2835 thermal driver, a lot of F2FS optimizations, as well as ioctl for the GETFSMAP space mapping ioctl for both XFS and EXT4 filesystems.
Linus said in announcing the release that "I think only 4.9 ends up having had more commits," also noting that 4.9 was a Long Term Support kernel, whereas "4.12 is just plain big."

"There's also nothing particularly odd going on in the tree - it's all just normal development, just more of it than usual."

Posted by EditorDavid on Sunday July 02, 2017 @12:10AM from the softening-systemd-suspicions dept.

Thursday Lproven (Slashdot reader #6030) wrote:
It appears that Ubuntu is using a feature it has added -- intended to insert headlines of breaking tech news (security alerts and so on) into the Message of the Day displayed at login to the console -- to display advertising and promotional messages.
The message in question linked to a Hacker Noon article titled "How HBO's Silicon Valley built 'Not Hotdog' with mobile TensorFlow, Keras & React Native." Later that day Dustin Kirkland, a Ubuntu Product Manager for the feature's design (and the Core Developer for its implementation) suggested the message had been mistaken for an ad, describing it on Hacker News as a "fun fact... an interesting tidbit of potpourri from the world of Ubuntu," and later saying it was intended like Google's doodles. "Last week's message actually announced an Ubuntu conference in Latin America. The week before, we linked to an article asking for feedback on Kubuntu. Before that, we announced the availability of Extended Security Maintenance updates for 12.04. And so on." He later confirmed Canonical received no money for the message, and also pointed out that the messages all come from an open source repository, and "You're welcome to propose your own messages for merging, if you have a well formatted, informative message for Ubuntu users."

Posted by BeauHD on Thursday June 29, 2017 @07:20PM from the shiny-and-new dept.

BrianFagioli writes: Not content with simply following Canonical and embracing vanilla GNOME, System76 has decided to take its future into its own hands. Today, the company releases the first alpha of an all-new Linux-based operating system called "Pop!_OS," which will eventually be the only OS pre-loaded on its computers. While it will still be based on Ubuntu and GNOME, System76 is tweaking it with its own style and included drivers. In other words, the company is better controlling the user experience, and that is smart.

"The Pop!_OS community is in its infancy. This is a fantastic time to engage with and help develop the processes and practices that will govern the future development of the operating system and its community. The team is currently opening up planning for the development roadmap, code of conduct, discussion forums, and the processes surrounding code contribution. Progress made on Pop!_OS has established an inviting, modern, and minimalist look and has improved the first-use experience including streamlining installation and user setup. Work on the first release, scheduled for October 19th, centers on appearance, stability, and overall tightness of the user experience followed by adding new features and greater customization ability," says System76. You can check out the project on GitHub here and download the alpha ISO here. For more information, the company has set up a subreddit.

Posted by msmash on Wednesday June 28, 2017 @01:00PM from the go-update dept.

Celarent Darii writes: There is a vulnerability in the latest Ubuntu distributions due to the DNS resolver included in systemd. The inclusion of the DNS resolver was lamented by many on the mailing list, not without cause. All are advised to update their distribution.

Posted by EditorDavid on Saturday June 24, 2017 @06:58PM from the Linus-on-Linux dept.

Linus Torvalds appeared in a new "fireside chat" with VMware Head of Open Source Dirk Hohndel. An anonymous reader writes:
Linus explained what still surprises him about Linux development. "Code that I thought was stable continually gets improved. There are things we haven't touched for many years, then someone comes along and improves them or makes bug reports in something I thought no one used. We have new hardware, new features that are developed, but after 25 years, we still have old, very basic things that people care about and still improve... Our processes have not only worked for 25 years, we still have a very strong maintainer group... And as these maintainers get older and fatter, we have new people coming in."

Linus also says he's surprised by the widespread popularity of Git. "I expected it to be limited mostly to the kernel -- as it's tailored to what we do... In certain circles, Git is more well known than Linux." And he also shares advice if you want to get started as an open source developer. "I'm not sure my example is the right thing for people to follow. There are a ton of open source projects and, if you are a beginning programmer, find something you're interested in that you can follow for more than just a few weeks... If you can be part of a community and set up patches, it's not just about the coding, but about the social aspect of open source. You make connections and improve yourself as a programmer."
Linus also says that "I really like what I'm doing. I like waking up and having a job that is technically interesting and challenging without being too stressful so I can do it for long stretches; something where I feel I am making a real difference and doing something meaningful not just for me."

Posted by EditorDavid on Saturday June 24, 2017 @04:50PM from the life-of-Pi dept.

DeviceGuru writes: Results from LinuxGizmos.com's annual hacker-friendly single board computer survey are in, and not surprisingly, the Raspberry Pi 3 is the most desired maker SBC by a 4-to-1 margin. In other trends: x86 SBCs and Linux/Arduino hybrids have trended upwards. The site's popular hacker SBC survey polled 1,705 survey respondents and asked for their first, second, and third favorite SBCs from a curated list of 98 community oriented, Linux- and Android-capable boards. Spreadsheets comparing all 98 SBCs' specs and listing their survey vote tallies are available in freely downloadable Google Docs.
Other interesting findings:

"A Raspberry Pi SBC has won in all four of our annual surveys, but never by such a high margin."

"The Raspberry Pi's success came despite the fact that it offers some of the weakest open source hardware support in terms of open specifications. This, however, matches up with our survey responses about buying criteria, which ranks open source software support and community over open hardware support."

"Despite the accelerating Raspberry Pi juggernaut, there's still plenty of experimentation going on with new board models, and to a lesser extent, new board projects."

Posted by EditorDavid on Saturday June 24, 2017 @12:34PM from the escalating-privileges dept.

msm1267 writes: Linux, BSD, Solaris and other open source systems are vulnerable to a local privilege escalation vulnerability known as Stack Clash that allows an attacker to execute code at root. Major Linux and open source distributors made patches available Monday, and systems running Linux, OpenBSD, NetBSD, FreeBSD or Solaris on i386 or amd64 hardware should be updated soon.

The risk presented by this flaw, CVE-2017-1000364, becomes elevated especially if attackers are already present on a vulnerable system. They would now be able to chain this vulnerability with other critical issues, including the recently addressed Sudo vulnerability, and then run arbitrary code with the highest privileges, said researchers at Qualys who discovered the vulnerability.

Posted by EditorDavid on Saturday June 24, 2017 @10:34AM from the survey-says dept.

Phoronix is hosting a 2017 Linux Laptop Survey. From their site:
While Linux laptop compatibility is much better than where it was years ago, it's still not too uncommon to run into display/hybrid issues, shorter battery life under Linux than Windows or macOS, touchpad problems, and other occasional compatibility/performance shortcomings. So we've established this Linux Laptop Survey in conjunction with Linux stakeholders to hopefully gather more feedback that will be useful to many different parties...
The survey will be online until July 6th, after which the results will be publicly available, and will determine the most popular brands, distros, screen sizes, and GPUs, as well as common pain points and popular price points. And one particularly interesting question asks respondents what they'd like to see in a "dream Linux laptop."

Posted by msmash on Friday June 23, 2017 @12:40PM from the Mr.-Torvalds-speaks dept.

Linus Torvalds: What I find interesting is code that I thought was stable continually gets improved. There are things we haven't touched for many years, then someone comes along and improves them or makes bug reports in something I thought no one used. We have new hardware, new features that are developed, but after 25 years, we still have old, very basic things that people care about and still improve. I really like what I'm doing. I like waking up and having a job that is technically interesting and challenging without being too stressful so I can do it for long stretches; something where I feel I am making a real difference and doing something meaningful not just for me. I occasionally have taken breaks from my job. The 2-3 weeks I worked on Git to get that started for example. But every time I take a longer break, I get bored. When I go diving for a week, I look forward to getting back. I never had the feeling that I need to take a longer break.

Posted by BeauHD on Wednesday June 21, 2017 @08:05PM from the two-in-one dept.

Futurepower(R) writes: What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers? An example of complete network isolation could be that each user would have two computers with a KVM switch and a monitor and keyboard, or two monitors and two keyboards. An internet-facing computer could run a very secure version of Linux. Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux; the computers could each use a different method of checking for malware. Windows computers on the isolated network could be updated using Autopatcher, so that there would never be a direct connection with the internet. Why not use virtualization? Virtualization does not provide enough separation; there is the possibility of vulnerabilities. Do you have any ideas about improving the example above?

Posted by BeauHD on Tuesday June 20, 2017 @08:00PM from the onward-and-upward dept.

jmv writes: The Opus audio codec, used in WebRTC and now included in all major web browsers, gets another major upgrade with the release of version 1.2. This release brings quality improvements to both speech and music, while remaining fully compatible with RFC 6716. There are also optimizations, new options, as well as many bug fixes. This Opus 1.2 demo describes a few of the upgrades that users and implementers will care about the most. It includes audio samples comparing to previous versions of the codec, as well as speed comparisons for x86 and ARM.

Posted by EditorDavid on Sunday June 18, 2017 @09:24AM from the unreleased-LTS-releases dept.

prisoninmate writes: Development of the Linux 4.14 kernel series did not even start, as the version that's being developed these days is Linux 4.12, which should be promoted to stable early next month, but Softpedia reports that renowned Linux kernel maintainer Greg Kroah-Hartman announced earlier this morning that the upcoming Linux 4.14 kernel series will be an LTS (Long Term Support) branch. The developer promises to support the Linux 4.14 kernel series for at least two years after its release in November 2017, probably until November 2019.

Posted by msmash on Thursday June 15, 2017 @01:20PM from the good-call dept.

Reader sqorbit writes: Munich spent a lot of time (9 years) and a lot of money in shifting some 15,000 staff to a Linux-based OS. The plan now is to move to Windows 10 by 2021. Munich's Green Party is citing the WannaCry virus as a valid reason not to switch to Windows. "As with many of the biggest attacks, the computers that were mainly hit were running the Windows operating system," the Green Party said in a statement.

Posted by EditorDavid on Sunday June 11, 2017 @03:18AM from the easy-as-Pi dept.

An anonymous reader quotes Hot Hardware:
If you're a Raspberry Pi user who's never changed the default password of the "pi" user, then heed this warning: change it. A brand new piece of malware has hit the web, called "Linux.MulDrop.14", and it preys on those who haven't secured their devices properly... After scanning for RPis with an open (and default) SSH port, the "pi" user is logged into (if the password is left default), and the password is subsequently changed. After that, the malware installs ZMap and sshpass software, and then it configures itself. The ultimate goal of Linux.MulDrop.14 is to make digital money for someone else, namely the author of the malware, using your Raspberry Pi.

Posted by EditorDavid on Saturday June 10, 2017 @02:48PM from the verge-of-virtual-privacy dept.

darthcamaro writes: Back in April, when Docker announced its LinuxKit effort, the primary focus appeared to just be [tools for] building a container-optimized Linux distribution. As it turns out, security is also a core focus -- with LinuxKit now incubating multiple efforts to help boost Linux kernel security. Among those efforts is the Wireguard next generation VPN that could one day replace IPsec. "Wireguard is a new VPN for Linux using the cryptography that is behind some of the really good secure messaging apps like Signal," said Nathan McCauley, Director of Security at Docker Inc.
According to the article, Docker also has several full-time employees looking at ways to reduce the risk of memory corruption in the kernel, and is also developing a new Linux Security Module with more flexible access control policies for processes.

Posted by msmash on Tuesday June 06, 2017 @07:20PM from the working-together dept.

An anonymous reader shares an article: Canonical is playing host to a 'fractional scaling hackfest' in its Taipei offices this week. Both GNOME developers and Ubuntu developers are in attendance, ready to wrestle with the aim: improve GNOME HiDPI support. Ubuntu's Unity desktop (I'm told, anyhow) plays fairly nice with high DPI monitors because the shell supports fractional scaling (though most apps, I believe, do not). Furthermore, users can tweak some high DPI settings to better suit their display(s). GNOME Shell also supports HiDPI monitors, but has, until now, been a little less flexible about it. "Currently, we only allow to scale windows by integral factors (typically 2). This proves somewhat limiting as there are many systems that are just in between the dpi ranges that are good for scale factor 2, or unscaled," the hackfest page explains.

Posted by msmash on Tuesday June 06, 2017 @11:25AM from the new-browser-updates dept.

An anonymous reader writes: Google has launched Chrome 59 for Windows, Mac, and Linux. Among the additions are native notifications on macOS, settings being revamped to follow Material Design, the Image Capture API, Headless Chrome, and more service worker improvements. You can update to the latest version now using the browser's built-in silent updater or download it directly from google.com/chrome.

Posted by EditorDavid on Sunday June 04, 2017 @03:57PM from the Kodi-capable dept.

BrianFagioli writes: Unfortunately, Kodi is not its own operating system, meaning it has to be run on top of an OS. Sure, you could use Windows 10, but that is overkill if you only want to run Kodi. Instead, a lightweight Linux distribution that only serves to run the media center is preferable. One of the most popular such distros is OpenELEC. It can run on traditional PC hardware, but also Raspberry Pi, and, my favorite — WeTek boxes. Today, version 8.0.4 achieves stable release. It is a fairly ho-hum update, focusing mostly on fixes and stability.

Posted by EditorDavid on Sunday June 04, 2017 @12:09PM from the forks-for-phones dept.

An anonymous reader quotes Phoronix:
UBports continues to be the leading community project for trying to let Ubuntu Touch live on and evolve under their direction... Among their recent achievements were acquiring more sponsors, all devices that were sold with Ubuntu Touch can now run with UBports' builds, they are working on their own version of Mozilla's AGPS Location Service to replace Canonical's GPS system, the Halium OS platform continues evolving, the Dekko email client is back under development, installation improvements are being worked on, they are still striving for Wayland support, and more. The UBports Patreon page has even raised enough to allow UBports founder Marius Gripsgard to work full-time on what they're calling "a beautiful, free and open-source mobile OS." Their recent community update announced that "we are seeing more activity on Ubuntu Touch than for a very long time, and that is really encouraging."

Posted by BeauHD on Wednesday May 31, 2017 @11:30PM from the power-of-technology dept.

mspohr shares an excerpt from an article written by Cory Doctorow via The Guardian: "The inequality of badly-run or corrupt states is boosted by the power of technology -- but it's also easier than ever to destabilize these states, thanks to technology. The question is: which future will prevail?" [The article discusses two sides to the issue:] Here's the bad news: technology -- specifically, surveillance technology -- makes it easier to police disaffected populations, and that gives badly run, corrupt states enough stability to get themselves into real trouble. Here's the good news: technology -- specifically, networked technology -- makes it easier for opposition movements to form and mobilize, even under conditions of surveillance, and to topple badly run, corrupt states. Long before the internet radically transformed the way we organize ourselves, theorists were predicting we'd use computers to achieve ambitious goals without traditional hierarchies -- but it was a rare pundit who predicted that the first really successful example of this would be an operating system (GNU/Linux), and then an encyclopedia (Wikipedia). [Cory also has a new novel, Walkaway, which explores these ideas further.] The future will see a monotonic increase in the ambitions that loose-knit groups can achieve. My new novel, Walkaway, tries to signpost a territory in our future in which the catastrophes of the super-rich are transformed into something like triumphs by bohemian, anti-authoritarian "walkaways" who build housing and space programs the way we make encyclopedias today: substituting (sometimes acrimonious) discussion and (sometimes vulnerable) networks for submission to the authority of the ruling elites.

Posted by EditorDavid on Saturday May 27, 2017 @02:34PM from the data-about-distros dept.

An anonymous reader quotes DistroWatch:
Natanael Copa has announced the release of Alpine Linux 3.6.0. Alpine Linux is an independent, minimal operating system that is well suited to running servers, routers and firewalls. Version 3.6.0 introduces support for 64-bit POWER machines, 64-bit IBM z Systems computers and features many up to date packages, including PHP 7.1, LLVM 4.0 and version 6.3 of the GNU Compiler.
"Noteworthy new packages" include Rust 1.17.0 and Cargo 0.18.0, as well as Julia 0.5.2, as well as "significant updates" like Go 1.8, Python 3.6, and Ruby 2.4. And in addition, "MD5 and SHA-1 hashes have been removed from APKBUILDs, being obsoleted by SHA-512."

Posted by EditorDavid on Saturday May 27, 2017 @12:34PM from the not-so-shallow-bugs dept.

Long-time Slashdot reader williamyf was the first to share news of "a wormable bug [that] has remained undetected for seven years in Samba versions 3.5.0 onwards." Ars Technica reports:
Researchers with security firm Rapid7...said they detected 110,000 devices exposed on the internet that appeared to run vulnerable versions of Samba. 92,500 of them appeared to run unsupported versions of Samba for which no patch was available... Those who are unable to patch immediately can work around the vulnerability by adding the line nt pipe support = no to their Samba configuration file and restart the network's SMB daemon. The change will prevent clients from fully accessing some network computers and may disable some expected functions for connected Windows machines.
The U.S. Department of Homeland Security's CERT group issued an announcement urging sys-admins to update their systems, though SC Magazine cites a security researcher arguing this attack surface is much smaller than that of the Wannacry ransomware, partly because Samba is just "not as common as Windows architectures." But the original submission also points out that while the patch came in fast, "the 'Many eyes' took seven years to 'make the bug shallow'."

Posted
by
BeauHD
on Thursday May 25, 2017 @07:20PM
from the come-and-get-it dept.

prisoninmate quotes a report from Softpedia: Announced for the first time back in November 2014, Devuan is a Debian fork that doesn't use systemd as init system. It took more than two and a half years for it to reach 1.0 milestone, but the wait is now over and Devuan 1.0.0 stable release is here. Based on the packages and software repositories of the Debian GNU/Linux 8 "Jessie" operating system, Devuan 1.0.0 "Jessie" is now considered the first stable version of the GNU/Linux distribution, which stays true to its vision of developing a free Debian OS without systemd. This release is recommended for production use. As Devuan 1.0.0 doesn't ship with systemd, several adjustments needed to be made. For example, the distro uses a systemd-free version of the NetworkManager network connection manager and includes several extra libsystemd0-free packages in its repository.

Posted
by
EditorDavid
on Monday May 22, 2017 @07:34AM
from the heading-for-Tails dept.

BrianFagioli quotes BetaNews: Today, Tails achieves an important milestone. Version 3.0 reaches RC status -- meaning the first release candidate (RC1). In other words, it may soon be ready for a stable release -- if testing confirms as much. If you want to test it and provide feedback, you can download the ISO now. This is quite the significant upgrade, as the operating system is moving to a new base — Debian 9 "Stretch." The Debian kernel gets upgraded to 4.9.0-3, which is based on Linux kernel 4.9.25. As previously reported back in February, Tails 3.0 will drop 32-bit processor support too.

Using Tor is a huge part of the privacy aspect of Tails, and the tor web browser sees an update to 7.0a4. Tor itself is updated to 0.3.0.7-1. Less important is the move from Icedove to Thunderbird for email. This is really in name only, as Debian has begun using the "Thunderbird" branding again. From a feature perspective, it is inconsequential.

Posted
by
EditorDavid
on Monday May 22, 2017 @05:34AM
from the dev-null dept.

prisoninmate quotes Softpedia: As it's not an LTS (Long Term Support) branch, the Linux 4.10 kernel series was doomed to reach end of life sooner or later, and it happened this weekend with the release of the Linux kernel 4.10.17 patch, which is a major one changing a total of 103 files, with 981 insertions and 538 deletions. Therefore, users are now urged to move to the Linux 4.11 kernel series. If you're using a GNU/Linux distribution powered by a kernel from the Linux 4.10 series you need to update to version 4.10.17 as soon as it makes its way into the stable repositories. However, please inform your OS vendor that they need to upgrade the kernel packages to the Linux 4.11 series immediately.

Posted
by
EditorDavid
on Sunday May 21, 2017 @09:34AM
from the snappier-than-Snaps dept.

An anonymous reader writes:
Steam and Slack are now both included as Flatpak applications on the Endless OS, a free Linux distribution built upon the decades of evolution of the Linux operating system and the contributions of thousands of volunteers on the GNOME project. The beauty of Flatpak is the ability to bridge app creators and Linux distributions using a universal framework, making it possible to bring this kind of software to operating systems that encourage open collaboration...

As an open-source deployment mechanism, Flatpak was developed by an independent cohort made up of volunteers and contributors from supporting organizations in the open-source community. Alexander Larsson, lead developer of Flatpak and principal engineer at Red Hat, provided comment saying, "We're particularly excited about the opportunity Endless affords to advance the benefits of open-source environments to entirely new audiences."

Posted
by
msmash
on Friday May 19, 2017 @04:00PM
from the stranger-things dept.

Reader BrianFagioli writes: I was sort of hopeful for Windows 10 S when Microsoft made a shocking announcement at Build 2017 that it is bringing Linux distributions to the Windows Store. This gave the impression that students using the S variant of the OS would be able to tinker with Linux. Unfortunately, this is not the case as Microsoft will be blocking Linux on the new OS. In other words, not all apps in the store will be available for Windows 10 S. "Windows 10 S does not run command-line applications, nor the Windows Console, Cmd / PowerShell, or Linux/Bash/WSL instances since command-line apps run outside the safe environment that protects Windows 10 S from malicious / misbehaving software," says Rich Turner, Senior Product Manager, Microsoft. Turner further explains, "Linux distro store packages are an exotic type of app package that are published to the Windows Store by known partners. Users find and install distros, safely, quickly, and reliably via the Windows Store app. Once installed, however, distros should be treated as command-line tools that run outside the UWP sandbox and secure runtime infrastructure. They run with the capabilities granted to the local user -- in the same way as Cmd and PowerShell do. This is why Linux distros don't run on Windows 10 S: Even though they're delivered via the Windows Store, and installed as standard UWP APPX's, they run as non-UWP command-line tools and this can access more of a system than a UWP can."

Posted
by
msmash
on Thursday May 18, 2017 @03:20PM
from the open-mic dept.

An anonymous reader writes: The thing is, WannaCry isn't the first of its kind. In fact, ransomware has been exploiting Windows vulnerabilities for a while. The first known ransomware attack was called "AIDS Trojan" that infected Windows machines back in 1989. This particular ransomware attack switched the autoexec.bat file. This new file counted the amount of times a machine had been booted; when the machine reached a count of 90, all of the filenames on the C drive were encrypted. Windows, of course, isn't the only platform to have been hit by ransomware. In fact, back in 2015, the LinuxEncoder ransomware was discovered. That bit of malicious code, however, only affected servers running the Magento ecommerce solution. The important question here is this: Have there been any ransomware attacks on the Linux desktop? The answer is no. With that in mind, it's pretty easy to draw the conclusion that now would be a great time to start deploying Linux on the desktop. I can already hear the tired arguments. The primary issue: software. I will counter that argument by saying this: Most software has migrated to either Software as a Service (SaaS) or the cloud. The majority of work people do is via a web browser. Chrome, Firefox, Edge, Safari; with few exceptions, SaaS doesn't care. With that in mind, why would you want your employees and staff using a vulnerable system? [...] Imagine, if you will, you have deployed Linux as a desktop OS for your company and those machines work like champs from the day you set them up to the day the hardware finally fails. Doesn't that sound like a win your company could use? If your employees work primarily with SaaS (through web browsers), then there is zero reason keeping you from making the switch to a more reliable, secure platform.

Posted
by
msmash
on Thursday May 11, 2017 @11:20AM
from the going-forward dept.

At its Build developer conference today, Microsoft announced that Ubuntu has arrived in the Windows Store. From a report: The company also revealed that it is working with Fedora and Suse to bring their distributions to the Windows Subsystem for Linux (WSL) in Windows 10. At the conference last year, Microsoft announced plans to bring the Bash shell to Windows. The fruits of that labor was WSL, a compatibility layer for running Linux binary executables (in ELF format) natively on Windows, which arrived with the Windows 10 Anniversary Update released in August 2016. Microsoft also partnered with Canonical to allow Ubuntu tools and utilities to run natively on top of the WSL. By bringing Ubuntu to the Windows Store, the company is now making it even easier for developers to install the tools and run Windows and Linux apps side by side. Working with other Linux firms shows that Microsoft's deal with Canonical was not a one-time affair, but rather part of a long-term investment in the Linux world.

Posted
by
msmash
on Tuesday May 09, 2017 @12:40PM
from the inside-story dept.

An anonymous reader writes: Canonical was doing well with Ubuntu and cloud and container-related technologies, such as Juju, LXD, and Metal-as-a-Service (MaaS). In addition, its OpenStack and Kubernetes software stacks, according to Shuttleworth, are growing by leaps and bounds on both the public and private cloud. Canonical founder Mark Shuttleworth said "in the last year, Ubuntu cloud growth had been 70 percent on the private cloud and 90 percent on the public cloud." In particular, "Ubuntu has been gaining more customers on the big five public clouds." What hadn't succeeded was Canonical's attempt to make Unity the universal interface for desktops, tablets, and smartphones. Shuttleworth was personally invested in this project, but at day's end, it wasn't getting enough adoption to make it profitable. So, Shuttleworth said with regret, Unity had to be dropped. This move also means Canonical will devote more of its time to "putting the company on the path to an IPO. We must figure out what steps we need to take moving forward." That means focusing on Canonical's most profitable lines. Specifically, "Ubuntu will never die. Ubuntu is the default platform on cloud computing. Juju, MaaS, and OpenStack are nearly unstoppable. We need to work out more of our IoT path. At the same time, we had to cut out those parts that couldn't meet an investors' needs. The immediate work is get all parts of the company profitable."

Posted
by
msmash
on Monday May 08, 2017 @04:50PM
from the shape-of-things-to-come dept.

More details have emerged about Fuchsia, the new mobile OS Google has been working on. ArsTechnica reports that Fuchsia is not based on Linux (unlike Android and Chrome OS). Instead, the OS uses a new, Google-developed microkernel called "Magenta." From the article: With Fuchsia, Google would not only be dumping the Linux kernel, but also the GPL: the OS is licensed under a mix of BSD 3 clause, MIT, and Apache 2.0. Dumping Linux might come as a bit of a shock, but the Android ecosystem seems to have no desire to keep up with upstream Linux releases. Even the Google Pixel is still stuck on Linux Kernel 3.18, which was first released at the end of 2014. [...] The interface and apps are written using Google's Flutter SDK, a project that actually produces cross-platform code that runs on Android and iOS. Flutter apps are written in Dart, Google's reboot of JavaScript which, on mobile, has a focus on high-performance, 120fps apps. It also has a Vulkan-based graphics renderer called "Escher" that lists "Volumetric soft shadows" as one of its features, which seems custom-built to run Google's shadow-heavy "Material Design" interface guidelines. The publication put the Flutter SDK to test on an Android device to get a sneak peek into the user interface of Fuchsia. "The home screen is a giant vertically scrolling list. In the center you'll see a (placeholder) profile picture, the date, a city name, and a battery icon," the author wrote. "Above the are 'Story' cards -- basically Recent Apps -- and below it is a scrolling list of suggestions, sort of like a Google Now placeholder. Leave the main screen and you'll see a Fuchsia 'home' button pop up on the bottom of the screen, which is just a single white circle."

Posted
by
EditorDavid
on Sunday May 07, 2017 @03:35PM
from the come-along-and-share-the-Stallman dept.

After our article about Richard Stallman's new video interview, Slashdot reader silverjacket shared this recent profile from Psychology Today that describes Richard Stallman's quest "to save us from a web of spyware -- and from ourselves."
By using proprietary software, Stallman believes, we are forfeiting control of our computers, and thus of our digital lives. In his denunciation of all nonfree software as inherently abusive and unethical, he has alienated many possible allies and followers. But he is not here to make friends. He is here to save us from a software industry he considers predatory in ways we've yet to recognize... for Stallman, moralism is the whole point. If you write or use free software only for practical reasons, you'll stop when it's inconvenient, and freedom will disappear.
Stallman collaborator Eben Moglen -- a law professor at Columbia, as well as the FSF's general counsel -- assesses Stallman's legacy by saying "the idea of copyleft and the proposition that social and political freedom can't happen in a society without technological freedom -- those are his long-term meanings. And humanity will be aware of those meanings for centuries, whatever it does about them." The article also includes quotes from Linus Torvalds and Eric S. Raymond -- along with some great artwork.

In addition to insisting the reporter refer to Linux as "GNU/Linux," Stallman also required that the article describe free software without using the term open source, a phrase he sees as "a way that people who disagree with me try to cause the ethical issues to be forgotten." And he ultimately got Psychology Today to tell its readers that "Nearly all the software on our phones and computers, as well as on other machines, is nonfree or 'proprietary' software and is riddled with spyware and back doors installed by Apple, Google, Microsoft, and the like."

"Please note that this update does not constitute a new version of Debian 8 but only updates some of the packages included. There is no need to throw away old 'jessie' CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated."
Debian 8.8 contains more than 150 bug fixes and security updates.

Posted
by
EditorDavid
on Saturday May 06, 2017 @05:04PM
from the contentious-community-processes dept.

An anonymous reader quotes InfoWorld:
The next edition of standard Java had been proceeding toward its planned July 27 release after earlier bumps in the road over modularity. But now Red Hat and IBM have opposed the module plan. "JDK 9 might be held up by this," Oracle's Georges Saab, vice president of development for the Java platform, said late Wednesday afternoon. "As is the case for all major Java SE releases, feedback from the Java Community Process may affect the timeline..."

Red Hat's Scott Stark, vice president of architecture for the company's JBoss group, expressed a number of concerns about how applications would work with the module system and its potential impact on the planned Java Enterprise Edition 9. Stark also said the module system, which is featured in Java Specification Request 376 and Project Jigsaw, could result in two worlds of Java: one for Jigsaw and one for everything else, including Java SE classloaders and OSGI. Stark's analysis received input from others in the Java community, including Sonatype.
"The result will be a weakened Java ecosystem at a time when rapid change is occurring in the server space with increasing use of languages like Go," Stark wrote, also predicting major challenges for applications dealing with services and reflection. His critique adds that "In some cases the implementation...contradicts years of modular application deployment best practices that are already commonly employed by the ecosystem as a whole." And he ultimately concludes that this effort to modularize Java has limitations which "almost certainly prevent the possibility of Java EE 9 from being based on Jigsaw, as to do so would require existing Java EE vendors to completely throw out compatibility, interoperability, and feature parity with past versions of the Java EE specification."

Posted
by
EditorDavid
on Saturday May 06, 2017 @12:44PM
from the adding-encoding dept.

An anonymous reader quotes Fedora Magazine:
Both MP3 encoding and decoding will soon be officially supported in Fedora. Last November the patents covering MP3 decoding expired and Fedora Workstation enabled MP3 decoding via the mpg123 library and GStreamer... The MP3 codec and Open Source have had a troubled relationship over the past decade, especially within the United States. Historically, due to licensing issues Fedora has been unable to include MP3 decoding or encoding within the base distribution... A couple of weeks ago IIS Fraunhofer and Technicolor terminated their licensing program and just a few days ago Red Hat Legal provided the permission to ship MP3 encoding in Fedora.

Posted
by
EditorDavid
on Saturday May 06, 2017 @10:34AM
from the Init-Freedom dept.

An anonymous reader quotes The Register:
Devuan Linux has released its second release candidate... A 1.0.0 release candidate emerged just under a fortnight ago and today the developers announced Devuan Jessie 1.0.0 RC2. New in this cut of the code is a systemd-free version of network-manager, new versions of reportbug, desktop-base and xfce4-panel. GNOME, KDE, and Cinnamon have been removed from tasksel, but can still be installed although they "are known to suffer from some glitches due to the lack of systemd."
The Devuan web site says this series of release candidates "marks an important milestone towards the sustainability and the continuation of Devuan as a universal base distribution." And their announcement describes Devuan as "the Debian that was and could have been. Our goal is to provide a viable and sustainable alternative...a new path, nurtured with your help and support."

Posted
by
msmash
on Tuesday May 02, 2017 @11:00AM
from the sneak-peek dept.

Brian Fagioli, writing for BetaNews: The uncertainty about Ubuntu has not deterred the Linux Mint team, however, as they are moving ahead with plans for version 18.2. While details about the upcoming version of the operating system are scarce, we have learned two important details. First, the code name for the OS will be 'Sonya,' and second, the distro will use LightDM as default display manager.

Posted
by
msmash
on Monday May 01, 2017 @01:20PM
from the going-forward dept.

Debian's release team has decided to postpone its implementation of Secure Boot. From a report: In a release update from last week, release team member Jonathan Wiltshire wrote that "At a recent team meeting, we decided that support for Secure Boot in the forthcoming Debian 9 'stretch' would no longer be a blocker to release. The likely, although not certain outcome is that stretch will not have Secure Boot support." "We appreciate that this will be a disappointment to many users and developers," he continued, "However, we need to balance that with the limited time available for the volunteer teams working on this feature, and the risk of bugs being introduced through rushed development." The decision not to offer Secure Boot support at release leaves Debian behind Red Hat and Suse, making it the only one of Linux's three main branches not to support the heir-to-BIOS and the many security enhancements it offers.

Posted
by
EditorDavid
on Monday May 01, 2017 @03:34AM
from the released-candidate dept.

prisoninmate quotes Softpedia: Linux kernel 4.11 has been in development for the past two months, since very early March, when the first Release Candidate arrived for public testing. Eight RCs later, we're now able to download and compile the final release of Linux 4.11 on our favorite GNU/Linux distributions and enjoy its new features. Prominent ones include scalable swapping for SSDs, a brand new perf ftrace tool, support for OPAL drives, support for the SMC-R (Shared Memory Communications-RDMA) protocol, journalling support for MD RAID5, all new statx() system call to replace stat(2), and persistent scrollback buffers for VGA consoles... The Linux 4.11 kernel also introduces initial support for Intel Gemini Lake chips, which is an Atom-based, low-cost computer processor family developed using Intel's 14-nanometer technology, and better power management for AMD Radeon GPUs when the AMDGPU open-source graphics driver is used.

Posted
by
EditorDavid
on Sunday April 30, 2017 @12:29AM
from the free-Dmitry dept.

An anonymous reader writes:
"Dmitry Bogatov, Debian developer and Tor node admin, is still being held in a Moscow jail," tweeted the EFF Saturday. IT Wire reports that the 25-year-old math teacher was arrested earlier this month "on suspicion of organizing riots," and is expected to be held in custody until June 8. "The panel investigating the protests claims Bogatov posted several incitory messages on the sysadmin.ru forum; for example, one claim said he was asking people to bring 'bottles, fabric, gasoline, turpentine, foam plastic' to Red Square, according to a post at Hacker News. The messages were sent in the name of one Airat Bashirov and happened to be transmitted through the Tor node that Bogatov was running. The Hacker News post said Bogatov's lawyer had produced surveillance video footage to show that he was elsewhere at the time when the messages were posted.
"After Dmitry's arrest," reports the Free Bogatov site, "Airat Bashirov continue to post messages. News outlets 'Open Russia' and 'Mediazona' even got a chance to speak with him."

Earlier this month the Debian GNU/Linux project also posted a message of support, noting Dmitry maintains several packages for command line and system tools, and saying their group "honours his good work and strong dedication to Debian and Free Software... we hope he is back as soon as possible to his endeavours... In the meantime, the Debian Project has taken measures to secure its systems by removing Dmitry's keys in the case that they are compromised."

Posted
by
BeauHD
on Friday April 28, 2017 @09:25PM
from the be-afraid-be-very-afraid dept.

An anonymous reader writes: "Mobile applications that open ports on Android smartphones are opening those devices to remote hacking, claims a team of researchers from the University of Michigan," reports Bleeping Computer. Researchers say they've identified 410 popular mobile apps that open ports on people's smartphones. They claim that an attacker could connect to these ports, which in turn grant access to various phone features, such as photos, contacts, the camera, and more. This access could be leveraged to steal photos, contacts, or execute commands on the target's phone. Researchers recorded various demos to prove their attacks. Of these 410 apps, there were many that had between 10 and 50 million downloads on the official Google Play Store and even an app that came pre-installed on an OEM's smartphones. "Research on the mobile open port problem started after researchers read a Trend Micro report from 2015 about a vulnerability in the Baidu SDK, which opened a port on user devices, providing an attacker with a way to access the phone of a user who installed an app that used the Baidu SDK," reports Bleeping Computer. "That particular vulnerability affected over 100 million smartphones, but Baidu moved quickly to release an update. The paper detailing the team's work is entitled Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications, and was presented Wednesday, April 26, at the 2nd IEEE European Symposium on Security and Privacy that took place this week in Paris, France."

Posted
by
msmash
on Monday April 24, 2017 @04:40PM
from the high-threshold dept.

Linux kernel creator Linus Torvalds said over the weekend that v4.11 version of Linux has hit a speed bump in the form of "NVMe power management that apparently causes problems on some machines." The Register adds: "It's not entirely clear what caused the [NVMe] issue (it wasn't just limited to some NVMe hardware, but also particular platforms), but let's test it." Which sounds like a good idea, given that flash memory on the PCIe bus is increasingly mainstream. That problem and "a couple of really annoying" bugs mean that Torvalds has decided to do an eighth release candidate for Linux 4.11. "I did get fixes for the issues that popped up, so I could have released 4.11 as-is," Torvalds wrote, "but it just doesn't feel right."